This is what happens when your SSL certificate expires

What happens when your SSL certificate expires? This.

One of the most common questions we get asked is some variation on “what happens when your SSL certificate expires?” or “what happens if you don’t renew your SSL certificates on time?”

The answer is death. Swift ignominious death. Ever wonder what happened to Jeeves? Now you know. On the death certificate his cause of death just reads: “certificate expiry.”

That was a dark day for the internet…

Ok, so maybe that’s a little bit hyperbolic (and patently untrue). But certificate expiration can have some serious consequences. Today we’re going to talk about what happens when your SSL certificate expires, we’ll toss out some infamous examples of certificate expiration and we’ll even go into how to avoid accidentally letting your SSL certificates expire.

Let’s hash it out.

What happens when your SSL certificate expires?

Let’s start by answering the question we posed and then we’ll delve into some of the minutiae. SSL certificates facilitate the encryption of data in transit. By installing an SSL certificate on your website’s server, it allows you to host it over HTTPS and create secure, encrypted connections between your site and its visitors. This safeguards communication. SSL also authenticates the server.

SSL certificates are not valid forever though. They expire. There is an industry forum, the Certificate Authority/Browser Forum, that serves as a de facto regulatory body for the SSL/TLS industry. The CAB Forum dictates the baseline requirements that Certificate Authorities must follow to issue trusted SSL certificates. Those requirements dictate that SSL certificates may have a lifespan of no longer than 27 months (two years, plus up to three months carried over when you renew with time remaining on your previous certificate).

That means that every website needs to renew or replace its SSL certificate at least once every two years. So, what happens when your SSL certificate expires? It makes your site nigh unreachable.

When a user’s browser arrives at your website it checks for the validity of the SSL certificate within milliseconds (it’s part of the SSL handshake). If the certificate is expired, it issues a warning like this:

You don’t need me to tell you that this message is essentially a death warrant for your site’s traffic, sales, or whatever metric you value. While most browsers do offer an option to click through the warning, almost nobody does it. The average internet user may not know a ton about cybersecurity, but they know two things: computers are expensive and malware messes up computers. So if their browser tells them a website isn’t safe, or in this case that their connection isn’t secure, they are probably going to listen.

Wouldn’t you?

Why do SSL certificates expire?

This is a topic we’ve discussed quite a bit in the past, but here’s a quick rundown. As we mentioned earlier, SSL certificates help facilitate two things: encryption and authentication. The latter is the bigger culprit for certificate expiry. All SSL certificates authenticate something, even domain validation certificates authenticate a server. As with any form of authentication, you occasionally need to re-validate the information you’re using in order to make sure it’s accurate.

That’s especially true on the internet. Things change all the time. Websites change hands. Companies are bought and sold. And SSL/TLS is based on a trust model that can be undermined by that. So it’s important for Certificate Authorities that are issuing trusted certificates to ensure that the information they’re using to authenticate servers and organizations is as up-to-date and accurate as possible.

Let’s look at a practical example. Circuit City was an electronics and appliance retailer that went out of business about a decade ago. Now, imagine for a moment that SSL certificates didn’t expire. Circuit City’s assets have all been sold off or jettisoned, so what if someone grabs the certificate and the domain it was issued for? Now they’re free to do whatever they want with that domain (until the certificate is revoked, but that’s a completely separate mess) and everyone’s browser would see this site as the legitimate article. Someone that didn’t realize the company was now defunct could easily be duped. After all, the certificate is legitimate.

That can’t happen. If anything, expect certificate lifespans to get shorter. At one point, SSL certificates could be issued for as long as five years. Then it was knocked down to three. Then last year it was down to two—which was a compromise because the original Google proposal was for one year. In the future certificate validity may be as short as 3-6 months. Let’s Encrypt issues 3 month certificates right now.

Authentication isn’t the only culprit for certificate expiry though. Having shorter certificate validity periods also makes it easier for the industry to roll out changes more quickly. For instance, a few years ago the SSL/TLS industry deprecated the use of SHA-1 as a hashing algorithm. As anyone that has ever ordered an SSL certificate knows, you pick the hashing algorithm during generation. With three year validity, in some cases you may have to wait as long as 39 months after the deadline before the certificate expires and SHA-1 is deprecated by that website.

Short validity periods fix this. If we were to phase out SHA-2 in favor of SHA-3 (don’t worry, that’s not coming anytime soon) you could set a cutoff date for issuing SHA-2 certificates and within 27 months (or 15 if validity is reduced to one year) SHA-2 would be completely deprecated.

High Profile SSL Certificate Expirations

If you do accidentally forget to renew on time and let your SSL certificate expire, you can take some solace in knowing that you are not alone. Below, we’re going to keep a running list of high-profile SSL expirations:

In December of 2018, millions of people in the UK were without cellular coverage following the expiration of a digital certificate associated with Ericsson’s network. Ericsson, which is a Swedish cellular company, manufactures myriad back-end equipment for the world’s cellular networks. Thanks to an expired digital certificate in a version of Ericsson’s management software that is widely used by European telecommunications companies, millions of cellular users experienced downtime. The outages initially affected software used by O2 and its parent company, Telefonica, but eventually the outages showed up downstream, too.

Equifax would have discovered the 2017 attack that compromised millions of peoples’ personal information a lot sooner if not for an expired digital certificate. For ten months, following the expiration of the certificate, Equifax couldn’t inspect the traffic running through its own network. That, in turn, caused it to miss the high-profile breach for 76 days, until the certificate was finally replaced and inspection resumed.

In the first half of 2018, Cisco had an issue that superseded regular SSL certificate expiration—Cisco had a root expire. As we discussed a few days ago, Root certificates are an integral part of the SSL/TLS trust model. Seated at the top of the proverbial tree, Root certificates are used to sign and issue intermediates and end user SSL certificates. In this case, the root was attached to one of Cisco’s VPNs, meaning every certificate it issued to end users could have potentially become invalid, too. Fortunately, that doesn’t appear to have happened; users were just blocked from generating new end points.

Niantic seems to be having a bit of a resurgence with Pokemon Go, but back in January of 2018 the game was running into game-breaking bugs and a litany of other problems—one of which was the expiration of one of its SSL certificates. The outage was short, lasting just about half an hour, but it was more egg on Niantic’s face at the time.

At the beginning of December 2017, LinkedIn allowed one of its SSL certificates to expire. It knocked out LinkedIn sites in the US, UK and Canada. As the VP of Venafi, Kevin Bocek said at the time:

“LinkedIn’s blunder demonstrates why keeping in control of certificates is so important. While LinkedIn will have thousands of certificates to keep track of, outages like yesterday’s show that it only takes one expiry to cause problems. To stay in control, organizations should look to automate the discovery, management and replacement of every single certificate on its network.”

In early 2017 Time Warner compounded the boneheaded oversight that let its email server’s SSL certificate expire by offering its customers some equally boneheaded advice on remedying the situation:

“…going into your email settings and disabling SSL will stop the pop-up message and re-enable the webmail fetch.”

This is terrible on so many levels. Let’s start with the fact that this is awful advice. Don’t ever disable SSL. Ever. Second, it’s incumbent upon the company that lets its SSL certificate expire to replace it in short order. It’s not the customers’ job to change their settings to compensate for that company’s negligence. Third, who the hell is still using Time Warner as an email service?

How to avoid letting your SSL certificate expire

Enterprise businesses have a different set of problems when it comes to certificate management. Whereas Small and Medium Sized Businesses (SMBs) may just have one, or a handful of certificates, Enterprise companies have sprawling networks, myriad connected devices and just a lot more surface to cover in general. At the enterprise level, allowing an SSL certificate to expire is usually the result of oversight, not incompetence.

We work with a lot of Enterprise companies on meeting these challenges. Here is some actionable advice on avoiding certificate expiry.

Whatever CA or SSL service you got your SSL certificates from will send you expiration notifications at set intervals starting at 90 days out. Make sure that you set these reminders to be sent to a distribution list and not just a single individual. The Point-of-Contact you used when getting the certificate issued may not be there by the time it expires. Maybe they moved on, got promoted or just drank a little too much at the office Christmas party and got canned—whatever the case you need to make sure the notifications are reaching the right people.

Identify the proper channels to escalate reminders as the expiry date approaches. For instance, at 90 days out you might just want to have the notification sent to your distribution list. At 60 days you have it sent to your list, and to your system admin. At 30 days you send it to both the list and the system admin, and now your IT Manager gets looped in.
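An added example (not code from the original post) of the reminder schedule just described: it reads the notAfter date in the format the TLS handshake hands back, works out how many days are left, and maps that onto the 90/60/30-day escalation tiers. The hostnames, dates and mailbox addresses are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Escalation tiers from the post: at 90 days the distribution list is told,
# at 60 the sysadmin joins, at 30 the IT manager is looped in as well.
# Ordered widest threshold first; addresses are constructed placeholders.
ESCALATION = [
    (90, ["certs-list@example.com"]),
    (60, ["certs-list@example.com", "sysadmin@example.com"]),
    (30, ["certs-list@example.com", "sysadmin@example.com", "it-manager@example.com"]),
]

def days_until_expiry(not_after, now):
    """not_after as printed by getpeercert()/openssl, e.g. 'Dec  1 12:00:00 2017 GMT'.
    Returns whole days remaining; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def recipients_for(days_left):
    """Everyone who must be reminded at this distance from expiry ([] = no reminder yet).
    Each matching tier overwrites the previous one, so the tightest tier wins."""
    chosen = []
    for threshold, people in ESCALATION:
        if days_left <= threshold:
            chosen = people
    return chosen

def triage(inventory, now):
    """inventory: list of (hostname, notAfter). Returns (host, days_left, recipients), soonest first."""
    rows = [(host, days_until_expiry(na, now), recipients_for(days_until_expiry(na, now)))
            for host, na in inventory]
    return sorted(rows, key=lambda r: r[1])

def fetch_not_after(host, port=443, timeout=5):
    """Live check: run the handshake and read notAfter, as a browser does. Because the default
    context verifies the chain, an already-expired certificate raises SSLCertVerificationError,
    which is itself the finding. Not used by the constructed sample below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

# Constructed "today" and inventory so the example runs offline.
NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("www.example.com", "Mar  1 00:00:00 2019 GMT"),   # 45 days out -> list + sysadmin
    ("mail.example.com", "Jan 10 00:00:00 2019 GMT"),  # expired 5 days ago
    ("vpn.example.com", "Jun  1 00:00:00 2020 GMT"),   # far off -> nothing yet
]
```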

Find a good certificate management platform. One of the biggest challenges facing enterprise businesses is visibility. You can’t replace expiring certificates if you can’t see them. We try to stay vendor agnostic, but DigiCert, Comodo and Venafi all have tremendous platforms that can help enterprises see and manage digital certificates across their entire infrastructure. Also, make sure you log in regularly so you can stay apprised of when you have renewals coming up.

Decide on what CA(s) you want to work with and then set up CAA records to restrict who can issue for your domains. This will help to eliminate the possibility of new rogue certificates being issued. The more you can consolidate your PKI into a single platform, the better off you’ll be.
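An added example (not from the original post) of what a CAA policy actually decides, going a little beyond the paragraph by implementing the RFC 8659 lookup rules: climb from the requested name to the nearest ancestor that has CAA records, use issuewild instead of issue for wildcard requests when it is present, and treat an empty issuer (";") as "nobody". The zone contents and CA names are constructed placeholders.

```python
# Constructed zone data: name -> list of (tag, value). Values are placeholders, not a real zone.
CAA_RECORDS = {
    "example.com": [("issue", "digicert.com"), ("issuewild", ";"),
                    ("iodef", "mailto:certs@example.com")],
    "dev.example.com": [("issue", "letsencrypt.org; account=placeholder")],
}

def relevant_rrset(fqdn, zone):
    """RFC 8659 section 3: the first non-empty CAA RRset walking from fqdn toward the root."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def issuance_permitted(requested_name, issuer_domain, zone):
    """Return (permitted, reason) for a CA identified by issuer_domain wanting to issue
    for requested_name, which may be a wildcard such as '*.example.com'."""
    wildcard = requested_name.startswith("*.")
    rrset = relevant_rrset(requested_name[2:] if wildcard else requested_name, zone)
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"   # issuewild present: issue tags are ignored for wildcard requests
    # issuer-domain-name is everything before the first ';' (parameters follow it);
    # an empty issuer-domain-name means no CA at all may issue.
    allowed = [v.split(";")[0].strip().lower() for t, v in rrset if t == tag]
    if not allowed:
        return True, "no %s records in the relevant set: CAA imposes no restriction" % tag
    if issuer_domain.lower() in allowed:
        return True, "%s is authorised by a CAA %s record" % (issuer_domain, tag)
    return False, "CAA %s records do not authorise %s" % (tag, issuer_domain)
```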

Speaking of rogue certificates, find a good scanning tool and then use it regularly to find and track rogue certificates.

So, that’s what happens when your SSL certificate expires

Forgetting to renew or replace an expiring SSL certificate can happen to anyone. But there are a lot of tools available to help minimize the risk that poses. The key, as we’ve discussed, is having visibility and good lines of communication so you can get out ahead of expiration.

Eventually, things will be automated to the point where we don’t even have to think about this, but we’re not quite there yet. So bear with us a little longer.

13 comments

Very nicely written, good examples. Just wanted to add a while ago I found a very useful service — SSL Certificate Monitoring, now SSL/TLS Certificate Monitoring. If you are interested take a look at it at http://bit.ly/SSLTLSmonitor

You can’t hide that information, users’ computer systems and browsers need to know the validity dates so they know whether to trust the certificate. If you did manage to hide that, your site would be nigh unreachable because every browser out there is going to issue an interstitial warning (and no one clicks through those).

Do you have any ideas about what would cause our SSL certificate to expire before its due date? I manage a church website, which we set up with Clover a year ago. For the entire year, the SSL certificate switches off; they reset it, and within a couple of days it switches off again, even though the expiration date is shown as a year out. They have tried numerous things, but nothing has worked, and I believe they are out of ideas. Very frustrating for site visitors to get the dreaded “This site is not private” screen! They say we are their only client with this problem. I worry that a bug somewhere within our site will cause the same problem, even if we switch to a new website provider, so I have stuck with them all year through this aggravation!

Hi Donna, I’m really sorry to hear that. Without knowing more of the specifics with your website and hosting situation I can’t really offer too much advice, but is it OK if we have someone from our support staff reach out to you at the email you’ve provided? They may be able to help you.

I have a Google email acct which hasn’t been right since a fraudulent activity by a specific carrier CHANGED MY EMAIL ADDRESS, and created a CA which has been following me like the plague. In this phone— http://www.google.com Root Certificate is compromised. the 2 sub categories are either expired or have constraints that extend a foot across the screen.
On my phone (after many since July 2015), I see in the columns that some titles are accepted with. *.google.com. .*.goo.gle.com—–
but there is always an alert and the wrong algorithm on my computer, and since 2015, this carrier rep DELETED MY FB ACCOUNT on October 30th @ 6:30 pm EST.
It is now a phishing site, and I have tried to merge my 4 PAGES since 2009 with no success.
I’m very aggravated, and both Apple and Lenovo and Dell computers are useless, and I turned off the WiFi because I see what is going on. Things are clearer since 2013 when the initial breach by TWC, and a hacker in my neighborhood…..who charged me for a checkup and took all my C: files windows system 32 and padded all my components. This is very serious and I know what the hacker’s name and email is when he changed my antivirus
program to Norton. the rep was confused and gave me his email thinking it was my antivirus
Get it? and it’s getting worse every day. I CAN GET NO HELP FROM YOU, ZUCK, GOOGLE, MICROSOFT, YET THE DEVICES HAVE BEEN WIPED CLEAN EXCEPT FOR THE PHOTOS WHICH ARE SEPARATE FROM MY DIGITAL CAMERA, ILLUSTRATING THESE CHANGES.
NOW WHAT?
THANKS

Author

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.